[ossec-list] Re: Integrity checksum changing ..... half a day after the change actually happened

Fri, 07 Feb 2014 10:28:49 -0800 

On my server, this is the setting I have:

<syscheck>
    <!-- Frequency that syscheck is executed -- default every 20 hours -->
    <!-- 15 min = 900 -->
    <!-- 20 hours = 72000 -->
    <frequency>300</frequency>

And on the shared agent.conf, this is what I have:

<syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>300</frequency>

Per my understanding, the agents and server should all be scanning every 5 
minutes.  Am I incorrect?




On Thursday, February 6, 2014 1:05:11 PM UTC-7, Sean Jackson wrote:
>
> These emails come during the morning, and the on-call guys are weary from 
> getting them when they come.  
>
> Can anyone help me tune OSSEC so they come closer to when changes were 
> made (the changes in these examples happened 12-14 hours earlier)?
>
> OSSEC HIDS Notification.
> 2014 Feb 06 04:40:34
>
> Received From: (xxxxxxxxxx) XXX.XX.58.194->syscheck
> Rule: 550 fired (level 7) -> "Integrity checksum changed."
> Portion of the log(s):
>
> Integrity checksum changed for: '/usr/bin/git-check-attr'
> Size changed from '1412976' to '1417808'
> Old md5sum was: '10dfa23bcacb1913419d4ca65a6442e2'
> New md5sum is : 'd59af7c52c919ad764b9a7c6ee9e997a'
> Old sha1sum was: '67ec1ab51b102638a4dbfdda2e5e0e38a29b0a5b'
> New sha1sum is : '9241833f9901325ac39916b95cfa192d24a2cb20'
>
>
>
> --END OF NOTIFICATION
>
>
>
> OSSEC HIDS Notification.
> 2014 Feb 06 04:40:38
>
> Received From: (xxxxxxxx) XXX.XX.58.194->syscheck
> Rule: 550 fired (level 7) -> "Integrity checksum changed."
> Portion of the log(s):
>
> Integrity checksum changed for: '/usr/bin/git-merge'
> Size changed from '1412976' to '1417808'
> Old md5sum was: '10dfa23bcacb1913419d4ca65a6442e2'
> New md5sum is : 'd59af7c52c919ad764b9a7c6ee9e997a'
> Old sha1sum was: '67ec1ab51b102638a4dbfdda2e5e0e38a29b0a5b'
> New sha1sum is : '9241833f9901325ac39916b95cfa192d24a2cb20'
>
>
>
> --END OF NOTIFICATION
>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.

Reply via email to